001 /*
002 * Copyright 1997-2006 Sun Microsystems, Inc. All Rights Reserved.
003 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
004 *
005 * This code is free software; you can redistribute it and/or modify it
006 * under the terms of the GNU General Public License version 2 only, as
007 * published by the Free Software Foundation. Sun designates this
008 * particular file as subject to the "Classpath" exception as provided
009 * by Sun in the LICENSE file that accompanied this code.
010 *
011 * This code is distributed in the hope that it will be useful, but WITHOUT
012 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
013 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
014 * version 2 for more details (a copy is included in the LICENSE file that
015 * accompanied this code).
016 *
017 * You should have received a copy of the GNU General Public License version
018 * 2 along with this work; if not, write to the Free Software Foundation,
019 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
020 *
021 * Please contact Sun Microsystems, Inc., 4150 Network Circle, Santa Clara,
022 * CA 95054 USA or visit www.sun.com if you need additional information or
023 * have any questions.
024 */
025
026 package java.security.cert;
027
028 import java.math.BigInteger;
029 import java.security.Principal;
030 import java.security.PublicKey;
031 import java.util.Collection;
032 import java.util.Date;
033 import java.util.List;
034 import javax.security.auth.x500.X500Principal;
035
036 import sun.security.x509.X509CertImpl;
037
038 /**
039 * <p>
040 * Abstract class for X.509 certificates. This provides a standard
041 * way to access all the attributes of an X.509 certificate.
042 * <p>
043 * In June of 1996, the basic X.509 v3 format was completed by
044 * ISO/IEC and ANSI X9, which is described below in ASN.1:
045 * <pre>
046 * Certificate ::= SEQUENCE {
047 * tbsCertificate TBSCertificate,
048 * signatureAlgorithm AlgorithmIdentifier,
049 * signature BIT STRING }
050 * </pre>
051 * <p>
052 * These certificates are widely used to support authentication and
053 * other functionality in Internet security systems. Common applications
054 * include Privacy Enhanced Mail (PEM), Transport Layer Security (SSL),
055 * code signing for trusted software distribution, and Secure Electronic
056 * Transactions (SET).
057 * <p>
058 * These certificates are managed and vouched for by <em>Certificate
059 * Authorities</em> (CAs). CAs are services which create certificates by
060 * placing data in the X.509 standard format and then digitally signing
061 * that data. CAs act as trusted third parties, making introductions
062 * between principals who have no direct knowledge of each other.
063 * CA certificates are either signed by themselves, or by some other
064 * CA such as a "root" CA.
065 * <p>
066 * More information can be found in
067 * <a href="http://www.ietf.org/rfc/rfc3280.txt">RFC 3280: Internet X.509
068 * Public Key Infrastructure Certificate and CRL Profile</a>.
069 * <p>
070 * The ASN.1 definition of <code>tbsCertificate</code> is:
071 * <pre>
072 * TBSCertificate ::= SEQUENCE {
073 * version [0] EXPLICIT Version DEFAULT v1,
074 * serialNumber CertificateSerialNumber,
075 * signature AlgorithmIdentifier,
076 * issuer Name,
077 * validity Validity,
078 * subject Name,
079 * subjectPublicKeyInfo SubjectPublicKeyInfo,
080 * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
081 * -- If present, version must be v2 or v3
082 * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
083 * -- If present, version must be v2 or v3
084 * extensions [3] EXPLICIT Extensions OPTIONAL
085 * -- If present, version must be v3
086 * }
087 * </pre>
088 * <p>
089 * Certificates are instantiated using a certificate factory. The following is
090 * an example of how to instantiate an X.509 certificate:
091 * <pre>
092 * InputStream inStream = null;
093 * try {
094 * inStream = new FileInputStream("fileName-of-cert");
095 * CertificateFactory cf = CertificateFactory.getInstance("X.509");
096 * X509Certificate cert = (X509Certificate)cf.generateCertificate(inStream);
097 * } finally {
098 * if (inStream != null) {
099 * inStream.close();
100 * }
101 * }
102 * </pre>
103 *
104 * @author Hemma Prafullchandra
105 *
106 * @version 1.48
107 *
108 * @see Certificate
109 * @see CertificateFactory
110 * @see X509Extension
111 */
112
113 public abstract class X509Certificate extends Certificate implements
114 X509Extension {
115
116 private static final long serialVersionUID = -2491127588187038216L;
117
118 private transient X500Principal subjectX500Principal,
119 issuerX500Principal;
120
121 /**
122 * Constructor for X.509 certificates.
123 */
124 protected X509Certificate() {
125 super ("X.509");
126 }
127
128 /**
129 * Checks that the certificate is currently valid. It is if
130 * the current date and time are within the validity period given in the
131 * certificate.
132 * <p>
133 * The validity period consists of two date/time values:
134 * the first and last dates (and times) on which the certificate
135 * is valid. It is defined in
136 * ASN.1 as:
137 * <pre>
138 * validity Validity<p>
139 * Validity ::= SEQUENCE {
140 * notBefore CertificateValidityDate,
141 * notAfter CertificateValidityDate }<p>
142 * CertificateValidityDate ::= CHOICE {
143 * utcTime UTCTime,
144 * generalTime GeneralizedTime }
145 * </pre>
146 *
147 * @exception CertificateExpiredException if the certificate has expired.
148 * @exception CertificateNotYetValidException if the certificate is not
149 * yet valid.
150 */
151 public abstract void checkValidity()
152 throws CertificateExpiredException,
153 CertificateNotYetValidException;
154
155 /**
156 * Checks that the given date is within the certificate's
157 * validity period. In other words, this determines whether the
158 * certificate would be valid at the given date/time.
159 *
160 * @param date the Date to check against to see if this certificate
161 * is valid at that date/time.
162 *
163 * @exception CertificateExpiredException if the certificate has expired
164 * with respect to the <code>date</code> supplied.
165 * @exception CertificateNotYetValidException if the certificate is not
166 * yet valid with respect to the <code>date</code> supplied.
167 *
168 * @see #checkValidity()
169 */
170 public abstract void checkValidity(Date date)
171 throws CertificateExpiredException,
172 CertificateNotYetValidException;
173
174 /**
175 * Gets the <code>version</code> (version number) value from the
176 * certificate.
177 * The ASN.1 definition for this is:
178 * <pre>
179 * version [0] EXPLICIT Version DEFAULT v1<p>
180 * Version ::= INTEGER { v1(0), v2(1), v3(2) }
181 * </pre>
182 * @return the version number, i.e. 1, 2 or 3.
183 */
184 public abstract int getVersion();
185
186 /**
187 * Gets the <code>serialNumber</code> value from the certificate.
188 * The serial number is an integer assigned by the certification
189 * authority to each certificate. It must be unique for each
190 * certificate issued by a given CA (i.e., the issuer name and
191 * serial number identify a unique certificate).
192 * The ASN.1 definition for this is:
193 * <pre>
194 * serialNumber CertificateSerialNumber<p>
195 *
196 * CertificateSerialNumber ::= INTEGER
197 * </pre>
198 *
199 * @return the serial number.
200 */
201 public abstract BigInteger getSerialNumber();
202
203 /**
204 * <strong>Denigrated</strong>, replaced by {@linkplain
205 * #getIssuerX500Principal()}. This method returns the <code>issuer</code>
206 * as an implementation specific Principal object, which should not be
207 * relied upon by portable code.
208 *
209 * <p>
210 * Gets the <code>issuer</code> (issuer distinguished name) value from
211 * the certificate. The issuer name identifies the entity that signed (and
212 * issued) the certificate.
213 *
214 * <p>The issuer name field contains an
215 * X.500 distinguished name (DN).
216 * The ASN.1 definition for this is:
217 * <pre>
218 * issuer Name<p>
219 *
220 * Name ::= CHOICE { RDNSequence }
221 * RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
222 * RelativeDistinguishedName ::=
223 * SET OF AttributeValueAssertion
224 *
225 * AttributeValueAssertion ::= SEQUENCE {
226 * AttributeType,
227 * AttributeValue }
228 * AttributeType ::= OBJECT IDENTIFIER
229 * AttributeValue ::= ANY
230 * </pre>
231 * The <code>Name</code> describes a hierarchical name composed of
232 * attributes,
233 * such as country name, and corresponding values, such as US.
234 * The type of the <code>AttributeValue</code> component is determined by
235 * the <code>AttributeType</code>; in general it will be a
236 * <code>directoryString</code>. A <code>directoryString</code> is usually
237 * one of <code>PrintableString</code>,
238 * <code>TeletexString</code> or <code>UniversalString</code>.
239 *
240 * @return a Principal whose name is the issuer distinguished name.
241 */
242 public abstract Principal getIssuerDN();
243
244 /**
245 * Returns the issuer (issuer distinguished name) value from the
246 * certificate as an <code>X500Principal</code>.
247 * <p>
248 * It is recommended that subclasses override this method.
249 *
250 * @return an <code>X500Principal</code> representing the issuer
251 * distinguished name
252 * @since 1.4
253 */
254 public X500Principal getIssuerX500Principal() {
255 if (issuerX500Principal == null) {
256 issuerX500Principal = X509CertImpl
257 .getIssuerX500Principal(this );
258 }
259 return issuerX500Principal;
260 }
261
262 /**
263 * <strong>Denigrated</strong>, replaced by {@linkplain
264 * #getSubjectX500Principal()}. This method returns the <code>subject</code>
265 * as an implementation specific Principal object, which should not be
266 * relied upon by portable code.
267 *
268 * <p>
269 * Gets the <code>subject</code> (subject distinguished name) value
270 * from the certificate. If the <code>subject</code> value is empty,
271 * then the <code>getName()</code> method of the returned
272 * <code>Principal</code> object returns an empty string ("").
273 *
274 * <p> The ASN.1 definition for this is:
275 * <pre>
276 * subject Name
277 * </pre>
278 *
279 * <p>See {@link #getIssuerDN() getIssuerDN} for <code>Name</code>
280 * and other relevant definitions.
281 *
282 * @return a Principal whose name is the subject name.
283 */
284 public abstract Principal getSubjectDN();
285
286 /**
287 * Returns the subject (subject distinguished name) value from the
288 * certificate as an <code>X500Principal</code>. If the subject value
289 * is empty, then the <code>getName()</code> method of the returned
290 * <code>X500Principal</code> object returns an empty string ("").
291 * <p>
292 * It is recommended that subclasses override this method.
293 *
294 * @return an <code>X500Principal</code> representing the subject
295 * distinguished name
296 * @since 1.4
297 */
298 public X500Principal getSubjectX500Principal() {
299 if (subjectX500Principal == null) {
300 subjectX500Principal = X509CertImpl
301 .getSubjectX500Principal(this );
302 }
303 return subjectX500Principal;
304 }
305
306 /**
307 * Gets the <code>notBefore</code> date from the validity period of
308 * the certificate.
309 * The relevant ASN.1 definitions are:
310 * <pre>
311 * validity Validity<p>
312 *
313 * Validity ::= SEQUENCE {
314 * notBefore CertificateValidityDate,
315 * notAfter CertificateValidityDate }<p>
316 * CertificateValidityDate ::= CHOICE {
317 * utcTime UTCTime,
318 * generalTime GeneralizedTime }
319 * </pre>
320 *
321 * @return the start date of the validity period.
322 * @see #checkValidity
323 */
324 public abstract Date getNotBefore();
325
326 /**
327 * Gets the <code>notAfter</code> date from the validity period of
328 * the certificate. See {@link #getNotBefore() getNotBefore}
329 * for relevant ASN.1 definitions.
330 *
331 * @return the end date of the validity period.
332 * @see #checkValidity
333 */
334 public abstract Date getNotAfter();
335
336 /**
337 * Gets the DER-encoded certificate information, the
338 * <code>tbsCertificate</code> from this certificate.
339 * This can be used to verify the signature independently.
340 *
341 * @return the DER-encoded certificate information.
342 * @exception CertificateEncodingException if an encoding error occurs.
343 */
344 public abstract byte[] getTBSCertificate()
345 throws CertificateEncodingException;
346
347 /**
348 * Gets the <code>signature</code> value (the raw signature bits) from
349 * the certificate.
350 * The ASN.1 definition for this is:
351 * <pre>
352 * signature BIT STRING
353 * </pre>
354 *
355 * @return the signature.
356 */
357 public abstract byte[] getSignature();
358
359 /**
360 * Gets the signature algorithm name for the certificate
361 * signature algorithm. An example is the string "SHA-1/DSA".
362 * The ASN.1 definition for this is:
363 * <pre>
364 * signatureAlgorithm AlgorithmIdentifier<p>
365 * AlgorithmIdentifier ::= SEQUENCE {
366 * algorithm OBJECT IDENTIFIER,
367 * parameters ANY DEFINED BY algorithm OPTIONAL }
368 * -- contains a value of the type
369 * -- registered for use with the
370 * -- algorithm object identifier value
371 * </pre>
372 *
373 * <p>The algorithm name is determined from the <code>algorithm</code>
374 * OID string.
375 *
376 * @return the signature algorithm name.
377 */
378 public abstract String getSigAlgName();
379
380 /**
381 * Gets the signature algorithm OID string from the certificate.
382 * An OID is represented by a set of nonnegative whole numbers separated
383 * by periods.
384 * For example, the string "1.2.840.10040.4.3" identifies the SHA-1
385 * with DSA signature algorithm defined in
386 * <a href="http://www.ietf.org/rfc/rfc3279.txt">RFC 3279: Algorithms and
387 * Identifiers for the Internet X.509 Public Key Infrastructure Certificate
388 * and CRL Profile</a>.
389 *
390 * <p>See {@link #getSigAlgName() getSigAlgName} for
391 * relevant ASN.1 definitions.
392 *
393 * @return the signature algorithm OID string.
394 */
395 public abstract String getSigAlgOID();
396
397 /**
398 * Gets the DER-encoded signature algorithm parameters from this
399 * certificate's signature algorithm. In most cases, the signature
400 * algorithm parameters are null; the parameters are usually
401 * supplied with the certificate's public key.
402 * If access to individual parameter values is needed then use
403 * {@link java.security.AlgorithmParameters AlgorithmParameters}
404 * and instantiate with the name returned by
405 * {@link #getSigAlgName() getSigAlgName}.
406 *
407 * <p>See {@link #getSigAlgName() getSigAlgName} for
408 * relevant ASN.1 definitions.
409 *
410 * @return the DER-encoded signature algorithm parameters, or
411 * null if no parameters are present.
412 */
413 public abstract byte[] getSigAlgParams();
414
415 /**
416 * Gets the <code>issuerUniqueID</code> value from the certificate.
417 * The issuer unique identifier is present in the certificate
418 * to handle the possibility of reuse of issuer names over time.
419 * RFC 3280 recommends that names not be reused and that
420 * conforming certificates not make use of unique identifiers.
421 * Applications conforming to that profile should be capable of
422 * parsing unique identifiers and making comparisons.
423 *
424 * <p>The ASN.1 definition for this is:
425 * <pre>
426 * issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL<p>
427 * UniqueIdentifier ::= BIT STRING
428 * </pre>
429 *
430 * @return the issuer unique identifier or null if it is not
431 * present in the certificate.
432 */
433 public abstract boolean[] getIssuerUniqueID();
434
435 /**
436 * Gets the <code>subjectUniqueID</code> value from the certificate.
437 *
438 * <p>The ASN.1 definition for this is:
439 * <pre>
440 * subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL<p>
441 * UniqueIdentifier ::= BIT STRING
442 * </pre>
443 *
444 * @return the subject unique identifier or null if it is not
445 * present in the certificate.
446 */
447 public abstract boolean[] getSubjectUniqueID();
448
449 /**
450 * Gets a boolean array representing bits of
451 * the <code>KeyUsage</code> extension, (OID = 2.5.29.15).
452 * The key usage extension defines the purpose (e.g., encipherment,
453 * signature, certificate signing) of the key contained in the
454 * certificate.
455 * The ASN.1 definition for this is:
456 * <pre>
457 * KeyUsage ::= BIT STRING {
458 * digitalSignature (0),
459 * nonRepudiation (1),
460 * keyEncipherment (2),
461 * dataEncipherment (3),
462 * keyAgreement (4),
463 * keyCertSign (5),
464 * cRLSign (6),
465 * encipherOnly (7),
466 * decipherOnly (8) }
467 * </pre>
468 * RFC 3280 recommends that when used, this be marked
469 * as a critical extension.
470 *
471 * @return the KeyUsage extension of this certificate, represented as
472 * an array of booleans. The order of KeyUsage values in the array is
473 * the same as in the above ASN.1 definition. The array will contain a
474 * value for each KeyUsage defined above. If the KeyUsage list encoded
475 * in the certificate is longer than the above list, it will not be
476 * truncated. Returns null if this certificate does not
477 * contain a KeyUsage extension.
478 */
479 public abstract boolean[] getKeyUsage();
480
481 /**
482 * Gets an unmodifiable list of Strings representing the OBJECT
483 * IDENTIFIERs of the <code>ExtKeyUsageSyntax</code> field of the
484 * extended key usage extension, (OID = 2.5.29.37). It indicates
485 * one or more purposes for which the certified public key may be
486 * used, in addition to or in place of the basic purposes
487 * indicated in the key usage extension field. The ASN.1
488 * definition for this is:
489 * <pre>
490 * ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId<p>
491 *
492 * KeyPurposeId ::= OBJECT IDENTIFIER<p>
493 * </pre>
494 *
495 * Key purposes may be defined by any organization with a
496 * need. Object identifiers used to identify key purposes shall be
497 * assigned in accordance with IANA or ITU-T Rec. X.660 |
498 * ISO/IEC/ITU 9834-1.
499 * <p>
500 * This method was added to version 1.4 of the Java 2 Platform Standard
501 * Edition. In order to maintain backwards compatibility with existing
502 * service providers, this method is not <code>abstract</code>
503 * and it provides a default implementation. Subclasses
504 * should override this method with a correct implementation.
505 *
506 * @return the ExtendedKeyUsage extension of this certificate,
507 * as an unmodifiable list of object identifiers represented
508 * as Strings. Returns null if this certificate does not
509 * contain an ExtendedKeyUsage extension.
510 * @throws CertificateParsingException if the extension cannot be decoded
511 * @since 1.4
512 */
513 public List<String> getExtendedKeyUsage()
514 throws CertificateParsingException {
515 return X509CertImpl.getExtendedKeyUsage(this );
516 }
517
518 /**
519 * Gets the certificate constraints path length from the
520 * critical <code>BasicConstraints</code> extension, (OID = 2.5.29.19).
521 * <p>
522 * The basic constraints extension identifies whether the subject
523 * of the certificate is a Certificate Authority (CA) and
524 * how deep a certification path may exist through that CA. The
525 * <code>pathLenConstraint</code> field (see below) is meaningful
526 * only if <code>cA</code> is set to TRUE. In this case, it gives the
527 * maximum number of CA certificates that may follow this certificate in a
528 * certification path. A value of zero indicates that only an end-entity
529 * certificate may follow in the path.
530 * <p>
531 * The ASN.1 definition for this is:
532 * <pre>
533 * BasicConstraints ::= SEQUENCE {
534 * cA BOOLEAN DEFAULT FALSE,
535 * pathLenConstraint INTEGER (0..MAX) OPTIONAL }
536 * </pre>
537 *
538 * @return the value of <code>pathLenConstraint</code> if the
539 * BasicConstraints extension is present in the certificate and the
540 * subject of the certificate is a CA, otherwise -1.
541 * If the subject of the certificate is a CA and
542 * <code>pathLenConstraint</code> does not appear,
543 * <code>Integer.MAX_VALUE</code> is returned to indicate that there is no
544 * limit to the allowed length of the certification path.
545 */
546 public abstract int getBasicConstraints();
547
548 /**
549 * Gets an immutable collection of subject alternative names from the
550 * <code>SubjectAltName</code> extension, (OID = 2.5.29.17).
551 * <p>
552 * The ASN.1 definition of the <code>SubjectAltName</code> extension is:
553 * <pre>
554 * SubjectAltName ::= GeneralNames
555 *
556 * GeneralNames :: = SEQUENCE SIZE (1..MAX) OF GeneralName
557 *
558 * GeneralName ::= CHOICE {
559 * otherName [0] OtherName,
560 * rfc822Name [1] IA5String,
561 * dNSName [2] IA5String,
562 * x400Address [3] ORAddress,
563 * directoryName [4] Name,
564 * ediPartyName [5] EDIPartyName,
565 * uniformResourceIdentifier [6] IA5String,
566 * iPAddress [7] OCTET STRING,
567 * registeredID [8] OBJECT IDENTIFIER}
568 * </pre>
569 * <p>
570 * If this certificate does not contain a <code>SubjectAltName</code>
571 * extension, <code>null</code> is returned. Otherwise, a
572 * <code>Collection</code> is returned with an entry representing each
573 * <code>GeneralName</code> included in the extension. Each entry is a
574 * <code>List</code> whose first entry is an <code>Integer</code>
575 * (the name type, 0-8) and whose second entry is a <code>String</code>
576 * or a byte array (the name, in string or ASN.1 DER encoded form,
577 * respectively).
578 * <p>
579 * <a href="http://www.ietf.org/rfc/rfc822.txt">RFC 822</a>, DNS, and URI
580 * names are returned as <code>String</code>s,
581 * using the well-established string formats for those types (subject to
582 * the restrictions included in RFC 3280). IPv4 address names are
583 * returned using dotted quad notation. IPv6 address names are returned
584 * in the form "a1:a2:...:a8", where a1-a8 are hexadecimal values
585 * representing the eight 16-bit pieces of the address. OID names are
586 * returned as <code>String</code>s represented as a series of nonnegative
587 * integers separated by periods. And directory names (distinguished names)
588 * are returned in <a href="http://www.ietf.org/rfc/rfc2253.txt">
589 * RFC 2253</a> string format. No standard string format is
590 * defined for otherNames, X.400 names, EDI party names, or any
591 * other type of names. They are returned as byte arrays
592 * containing the ASN.1 DER encoded form of the name.
593 * <p>
594 * Note that the <code>Collection</code> returned may contain more
595 * than one name of the same type. Also, note that the returned
596 * <code>Collection</code> is immutable and any entries containing byte
597 * arrays are cloned to protect against subsequent modifications.
598 * <p>
599 * This method was added to version 1.4 of the Java 2 Platform Standard
600 * Edition. In order to maintain backwards compatibility with existing
601 * service providers, this method is not <code>abstract</code>
602 * and it provides a default implementation. Subclasses
603 * should override this method with a correct implementation.
604 *
605 * @return an immutable <code>Collection</code> of subject alternative
606 * names (or <code>null</code>)
607 * @throws CertificateParsingException if the extension cannot be decoded
608 * @since 1.4
609 */
610 public Collection<List<?>> getSubjectAlternativeNames()
611 throws CertificateParsingException {
612 return X509CertImpl.getSubjectAlternativeNames(this );
613 }
614
615 /**
616 * Gets an immutable collection of issuer alternative names from the
617 * <code>IssuerAltName</code> extension, (OID = 2.5.29.18).
618 * <p>
619 * The ASN.1 definition of the <code>IssuerAltName</code> extension is:
620 * <pre>
621 * IssuerAltName ::= GeneralNames
622 * </pre>
623 * The ASN.1 definition of <code>GeneralNames</code> is defined
624 * in {@link #getSubjectAlternativeNames getSubjectAlternativeNames}.
625 * <p>
626 * If this certificate does not contain an <code>IssuerAltName</code>
627 * extension, <code>null</code> is returned. Otherwise, a
628 * <code>Collection</code> is returned with an entry representing each
629 * <code>GeneralName</code> included in the extension. Each entry is a
630 * <code>List</code> whose first entry is an <code>Integer</code>
631 * (the name type, 0-8) and whose second entry is a <code>String</code>
632 * or a byte array (the name, in string or ASN.1 DER encoded form,
633 * respectively). For more details about the formats used for each
634 * name type, see the <code>getSubjectAlternativeNames</code> method.
635 * <p>
636 * Note that the <code>Collection</code> returned may contain more
637 * than one name of the same type. Also, note that the returned
638 * <code>Collection</code> is immutable and any entries containing byte
639 * arrays are cloned to protect against subsequent modifications.
640 * <p>
641 * This method was added to version 1.4 of the Java 2 Platform Standard
642 * Edition. In order to maintain backwards compatibility with existing
643 * service providers, this method is not <code>abstract</code>
644 * and it provides a default implementation. Subclasses
645 * should override this method with a correct implementation.
646 *
647 * @return an immutable <code>Collection</code> of issuer alternative
648 * names (or <code>null</code>)
649 * @throws CertificateParsingException if the extension cannot be decoded
650 * @since 1.4
651 */
652 public Collection<List<?>> getIssuerAlternativeNames()
653 throws CertificateParsingException {
654 return X509CertImpl.getIssuerAlternativeNames(this);
655 }
656 }
|